Re: Backup Mirrormode setup
by Meike Stone
On Wed., 16 March 2022 at 21:39, Quanah Gibson-Mount
<quanah(a)fast-mail.org> wrote:
>
>
>
> --On Wednesday, March 16, 2022 10:23 PM +0100 Meike Stone
> <meike.stone(a)googlemail.com> wrote:
>
> >
> > We are still using the bdb backend and the latest 2.4.59 (don't ask,
> > it will be replaced soon) and I remember, a "few" years ago, I had
> > problems with slapcat and online databases, because the server was
> > getting stuck for a while and answers were delayed ..
> > (The Admin Guide says that "Backups are managed slightly differently"
> > ...) Secondly, while offline, I can copy the whole database directory
> > including the transaction logs ..
>
> Ah, ok. Yes, you could set up a read-only consumer node to take backups
> from. I'd highly prioritize moving to a supported release of OpenLDAP with
> the back-mdb backend as well (I see you say it should be replaced soon). :)
>
Quanah, thanks for guiding me!
Meike
Re: Backup Mirrormode setup
by Meike Stone
On Wed., 16 March 2022 at 19:31, Quanah Gibson-Mount
<quanah(a)fast-mail.org> wrote:
>
>
>
> --On Wednesday, March 16, 2022 7:59 PM +0100 Meike Stone
> <meike.stone(a)googlemail.com> wrote:
>
> > Hello,
> >
> > what is the right solution to backup a Mirrormode setup?
> > I've a simple setup with two servers, running in mirrormode and a
> > virtual IP is moved on "request" between the two servers (nodes). The
> > DNS name of the virtual IP is used for the client LDAP requests. The
> > server certificate is issued to the DNS name of the virtual IP, but
> > has two SANs for both node names. The node names will be used for
> > replication in mirrormode. Everything is running well.
> > Can I set up a third (read-only) server that only replicates the
> > database from the "mirrormode cluster" using the DNS name without
> > problems and then shut down slapd temporarily and slapcat the database?
>
> You don't need to shut down slapd to slapcat the database, so I'm not clear
> what the concern is here? You should just do a periodic slapcat.
>
We are still using the bdb backend and the latest 2.4.59 (don't ask,
it will be replaced soon) and I remember, a "few" years ago, I had
problems with slapcat and online databases, because the server was
getting stuck for a while and answers were delayed ..
(The Admin Guide says that "Backups are managed slightly differently" ...)
Secondly, while offline, I can copy the whole database directory
including the transaction logs ..
Thanks Meike
Backup Mirrormode setup
by Meike Stone
Hello,
what is the right solution to backup a Mirrormode setup?
I've a simple setup with two servers, running in mirrormode and a
virtual IP is moved on "request" between the two servers (nodes). The
DNS name of the virtual IP is used for the client LDAP requests. The
server certificate is issued to the DNS name of the virtual IP, but
has two SANs for both node names. The node names will be used for
replication in mirrormode. Everything is running well.
Can I set up a third (read-only) server that only replicates the
database from the "mirrormode cluster" using the DNS name without
problems and then shut down slapd temporarily and slapcat the database?
Thanks Meike
migrate from RedHat openldap 2.4 to LTB OpenLdap 2.5
by Aaron Bennett
Hi,
I'm moving from a two-node CentOS 7 cluster running essentially the RedHat openldap-servers build (which I rebuild to use OpenSSL, but otherwise, left alone).
I've provisioned a new Rocky Linux 8 system and have installed OpenLDAP 2.5 from the LTB repository, and have moved the old slapd.d directory out of the way and put the slapd.d directory from the old servers in place. If I try to run slapd-cli status, it throws this:
olcAttributeTypes: value #8 olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange"
config error processing cn={5}samba,cn=schema,cn=config: olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange"
slapcat: bad configuration directory!
olcAttributeTypes: value #8 olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange"
config error processing cn={5}samba,cn=schema,cn=config: olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange"
slapcat: bad configuration directory!
Looking here: https://ltb-project.org/documentation/migrate_openldap_ltb_24_openldap_lt..., it looks like there's more going on. Does anyone have any input as to how to accomplish this? I do need to bring the old data in, ideally without having to make changes to the samba schema under the hood.
Best,
Aaron
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
olcLastBind default to true
by Erik de Waard
$OpenLDAP: slapd 2.5.11
Hi, I've a weird case where olcLastBind defaults to TRUE
when using the convert (slaptest) method,
and explicitly setting lastbind to off/false has no effect.
#Initialize slapd with convert method
slaptest -f /etc/openldap/slapd.conf.init -F /etc/openldap/slapd.d/
slapcat -n0 | grep LastBind
olcAttributeTypes: ( OLcfgDbAt:0.22 NAME 'olcLastBind' EQUALITY
booleanMatch S
olcLastMod $ olcLastBind $ olcLimits $ olcMaxDerefDepth $ olcPlugin $
olcRea
olcLastBind: TRUE
olcLastBind: TRUE
olcLastBind: TRUE
olcLastBind: TRUE
Tested with minimal config:
# stand-alone slapd config
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/test.schema
# allow big PDUs from anonymous (for testing purposes)
sockbuf_max_incoming 4194303
moduleload back_ldap
#######################################################################
# database definitions
#######################################################################
database config
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
lastbind off
database monitor
Best regards,
syncprov-sessionlog-source cn=accesslog
by Michael Ströder
Hi!
I wonder what the operational requirements are when using
syncprov-sessionlog-source cn=accesslog
instead of the in-memory session log.
E.g. what about configured logpurge?
What happens if the accesslog DB is completely deleted?
Ciao, Michael.
slapo-translucent and syncprov
by Christopher Paul
Hello openldap-technical,
I am wondering about slapo-translucent and syncprov. I am using it to
merge RFC2307bis data with an upstream Active Directory Service. It
seems to work pretty well. But I notice that the entries added do not
get entryuuid or entrycsn values. I guess this sort of makes sense,
because the source of truth for (most of) this data is upstream.
And so, this means then that syncprov overlay will not work for
translucent entries.
So I am wondering, what others are doing to replicate and synchronize
their translucent data across an OpenLDAP service?
I am guessing people probably use some dump and load schemes, which is
about all I can think to do at the moment.
many thanks,
Chris Paul | Rex Consulting | https://www.rexconsulting.net
secrets storage: userPassword,TLS keys best practices
by Christopher Paul
Hello openldap-technical,
I'm wondering what the OpenLDAP-technical World thinks about LDAP
authentication secrets. A couple observations and questions:
1. RFC 4519 allows userPassword to be multi-valued and it gives some
rationale which is logical, but it also seems to lack imagination.
There seem to be more possibilities for abuse by defining
attributeType this way than legitimate use cases. Is there any way
to force userPassword to be single-valued? Has anyone attempted this?
2. Assuming you decide to ditch passwords, and use TLS EXTERNAL, you
still have the problem of storing the key, and the risk that if the
key is stolen, then someone other than you can authenticate as you.
Of course store it on storage with permissions and ownership of
files set correctly. That goes without being said, but storage is
not always perfectly secure or private, so let's not trust it
completely. Short lifetimes would be one mitigation. And CRLs of
course. What else do people do?
3. Is there any way to have ldap* commands read the key in from an
environment variable or a call to gpg/secrets store etc.? Funky alias
/ bash-wrapper yeah but I'm looking for something less clunky.
many thanks,
Chris Paul | Rex Consulting | https://www.rexconsulting.net
Accesslog and Ppolicy overlays
by Benjamin Renard
Hello,
I'm trying to enable the accesslog overlay on a database with the ppolicy
overlay enabled (with brute-force protection). My goal is to build a history
of users' authentication failures and the effect of the ppolicy overlay on
their account.
I enabled accesslog on the database with logging of the "session"
operations and in this case, all users' authentication failures are stored
as modifications of the pwdFailureTime attribute. It's great but I
would also like to have an explicit trace of the bind operation failure
(with the error message of ppolicy in reqMessage).
I also tried to configure the accesslog overlay on the frontend and in this
case, I had an explicit trace of the bind failure but no trace of the
pwdFailureTime attribute modification.
Finally, I tried to configure the accesslog overlay on both frontend and
database levels, but accesslog on the database seems to take over
the other and the result is identical to accesslog configured only
on the database level.
Do you know how I could configure the accesslog overlay to log both
the bind failure and the pwdFailureTime attribute modification?
Regards,
--
Benjamin Renard - Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com
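Once both record types land in cn=accesslog (the explicit bind failure and the ppolicy-driven modify), the history Benjamin describes can be built by correlating them on reqDN. The following is an added example, not part of the thread: it parses a constructed sample of accesslog entries in LDIF form and groups failed binds, pwdFailureTime additions and pwdAccountLockedTime additions per user DN.

```python
"""Correlate slapo-accesslog records for bind failures with the ppolicy
modifications (pwdFailureTime / pwdAccountLockedTime) they trigger."""
from collections import defaultdict

# Constructed sample accesslog entries. reqResult 49 is LDAP
# invalidCredentials; reqMod values use accesslog's "attr:+ value" syntax.
SAMPLE_LDIF = """\
dn: reqStart=20230301120000.000001Z,cn=accesslog
reqStart: 20230301120000.000001Z
reqType: bind
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 49
reqMessage: Invalid credentials

dn: reqStart=20230301120000.000002Z,cn=accesslog
reqStart: 20230301120000.000002Z
reqType: modify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0
reqMod: pwdFailureTime:+ 20230301120000Z

dn: reqStart=20230301120005.000001Z,cn=accesslog
reqStart: 20230301120005.000001Z
reqType: modify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0
reqMod: pwdAccountLockedTime:+ 20230301120005Z
"""

def parse_ldif(text):
    """Split blank-line-separated LDIF into dicts of attr -> [values]."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def auth_failure_history(entries):
    """Return {reqDN: [(reqStart, event, detail), ...]} in log order."""
    hist = defaultdict(list)
    for e in entries:
        dn, t, typ = e["reqDN"][0], e["reqStart"][0], e["reqType"][0]
        if typ == "bind" and e.get("reqResult", ["0"])[0] != "0":
            hist[dn].append((t, "bind-failed", e.get("reqMessage", [""])[0]))
        elif typ == "modify":
            for mod in e.get("reqMod", []):          # e.g. "pwdFailureTime:+ <ts>"
                attr, _, rest = mod.partition(":")
                if attr in ("pwdFailureTime", "pwdAccountLockedTime") and rest.startswith("+ "):
                    hist[dn].append((t, attr + "-added", rest[2:]))
    return dict(hist)
```

Feeding it a real `slapcat -b cn=accesslog` dump works the same way, provided the bind records are actually present in the log.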
Using logfile-format causes segfault
by Juergen.Sprenger@swisscom.com
When using option 'logfile-format' in my config, slaptest, slapadd, slapcat, slapindex, ... will segfault and cause a coredump.
This occurs with all available options for 'logfile-format'.
slapd itself is running fine, logs are written as expected with any option for 'logfile-format'.
I am using OpenLDAP 2.6.1, configure options: ./configure --enable-overlays=mod --enable-modules --with-tls=openssl